SDK invasion: The little known threat to your privacy on Android

A new report from analytics company SafeDK has highlighted the danger that 3rd party SDKs pose to our privacy. The company tested over 190,000 free Android apps that were featured in Google
Play’s top charts against its database of over 1,000 3rd party SDKs. Alarmingly the testing showed that on average Android apps use 17 mobile SDKs. What that means is that not only do you need to trust the developer of any given app, by proxy you also need to trust 17 other developers with your privacy!

You might think that when you download an app from the Play Store that you are enjoying the labors of the app developer and not much else. OK, the app has some advertising, so maybe there is an SDK embedded in the app for that, and maybe there is something for analytics. Two SDKs, three tops. But what the latest Mobile SDKs Data Trends report highlights is that app developers are including (knowingly or maybe even unknowingly) dozens of third party SDKs in the code. Who is responsible for what these SDKs do?

According to SafeDK the fastest growing type of SDK used are Payment related SDKs, with over 45% of app now using them. For example, Skubit, a bitcoin Payment SDK, has skyrocketed in the past quarter, and is more frequently used than any other “traditional” Payment SDKs.

You might think that the excessive use of SDKs is only found in unpopular apps, hidden somewhere in a dark corner of the Play Store, however you would be wrong:

It seems that the more downloads an app has then the more SDKs it can include. Apps with anywhere from 100 million to 500 million downloads are using on average 23 SDKs! It is only when an app breaks that 1 billion downloads barrier that it seems to need less SDKs!

As for privacy, over 50% of apps have at least one SDK trying to access user location, one in ten apps have the ability to use a device’s microphone and 40% of apps have at least one SDK that reads the list of installed apps on a user’s device.

This last one is interesting, why do these SDKs need to know what other apps are installed on a device? What is worse is that the ability to read the installed app list isn’t protected by an Android permission the user can deny, the data is up for grabs by anyone.

However, Google’s Play Store policy states that users should be informed of this ability, at the very least in the privacy policy. The problem for indie app developers is that Google does not distinguish between the app and the activity of a third party SDK. This means an app could well be in violation of Google’s policies and the app developer might not even know it!

What do you think? Is the third party SDK invasion worrying? Are you concerned about what 3rd party SDKs are doing with your data? Please let me know in the comments below.